Let's see what "shared responsibility model" means. If Microsoft is not lying to customers, this means the first thing they should do is investigate whether or not the flaw was exploited in any of the tenants, at no cost to the customer.
Or...wait a second... No they aren't, they already asked customers to reset their keys, which basically means they did not investigate.
Yikes. 30% of Cosmos DB customers were vulnerable to this attack.
I'm really looking forward to seeing the details of this exploit. It sounds like it was a service authorization that failed to check account boundary limits. That is a massive failure for a serverless database.
Putting aside this specific failure, the way all the cloud providers are trying to interconnect their service offerings makes me increasingly nervous. It is too easy to accidentally grant overly permissive IAM policies without realizing it.
Not quite. To clarify, 30% of customers were notified of the issue. A larger, currently undetermined number are projected to have been exposed to the vulnerability.
"every Cosmos DB customer should assume they’ve been exposed" — Wiz.
Seriously doubt there are more than 30% of Microsoft customers who ran CosmosDB with a wide open firewall. Any serious corporate customer would be in breach of even the most basic security/compliance rules.
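The "wide open firewall" point above is something a defender can actually check rather than argue about. The following is an added example, not code from the thread or from Microsoft: it audits a JSON export of Cosmos DB account resources and flags accounts that accept connections from any public IP. The property names (`publicNetworkAccess`, `ipRules`, `ipRangeFilter`, `isVirtualNetworkFilterEnabled`, `virtualNetworkRules`) are assumed from the ARM schema for `Microsoft.DocumentDB/databaseAccounts`, and the sample accounts are constructed.

```python
import json

# Constructed sample shaped like an export of ARM "Microsoft.DocumentDB/databaseAccounts"
# resources. Property names are assumed from the ARM schema; every value is made up.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {   # no IP rules, no VNet filter, public access on: reachable from anywhere
        "name": "cosmos-open",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "ipRules": [],
            "isVirtualNetworkFilterEnabled": False,
            "virtualNetworkRules": [],
        },
    },
    {   # restricted to one documentation-range CIDR
        "name": "cosmos-iprestricted",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
            "isVirtualNetworkFilterEnabled": False,
            "virtualNetworkRules": [],
        },
    },
    {   # older comma-separated ipRangeFilter form, explicitly allowing all of IPv4
        "name": "cosmos-legacy-anyip",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "ipRangeFilter": "0.0.0.0/0",
        },
    },
    {   # public endpoint disabled entirely (private endpoints only)
        "name": "cosmos-private",
        "properties": {
            "publicNetworkAccess": "Disabled",
            "ipRules": [],
            "isVirtualNetworkFilterEnabled": False,
        },
    },
])


def _ip_rules(props):
    """Merge the newer ipRules list and the legacy ipRangeFilter string."""
    rules = [r.get("ipAddressOrRange", "") for r in props.get("ipRules", [])]
    legacy = props.get("ipRangeFilter", "")
    if legacy:
        rules += [s.strip() for s in legacy.split(",") if s.strip()]
    return rules


def classify_account(account):
    """Return 'private', 'restricted' or 'open' for one account resource."""
    props = account.get("properties", {})
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "private"
    rules = _ip_rules(props)
    vnet_filtered = (props.get("isVirtualNetworkFilterEnabled", False)
                     and bool(props.get("virtualNetworkRules")))
    # An explicit allow-all range, or no IP rule and no VNet rule at all while the
    # public endpoint is enabled, both mean any host on the internet can connect.
    if "0.0.0.0/0" in rules or (not rules and not vnet_filtered):
        return "open"
    return "restricted"


def classify_all(export_json):
    """Map account name -> classification for a JSON export of account resources."""
    return {a["name"]: classify_account(a) for a in json.loads(export_json)}


def find_open_accounts(export_json):
    """Names of accounts whose public endpoint accepts connections from any IP."""
    return [name for name, cls in classify_all(export_json).items() if cls == "open"]


if __name__ == "__main__":
    for name in find_open_accounts(SAMPLE_ACCOUNTS_JSON):
        print(f"OPEN FIREWALL: {name}")
```

Run against a real export (for example the output of `az cosmosdb list`, which returns the same properties), the list of "open" accounts is the set where a leaked key alone, with no network position, would have been sufficient for access; those are the accounts to rotate first and to move behind IP rules, VNet rules or private endpoints.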
This is an extraordinary position to take, one because it assumes "serious corporate customers" somehow take security seriously. Every. Week. There's a new breach from a "serious corporate customer".
Then there's this:
> So you can imagine our surprise when we were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, *including many Fortune 500 companies*.
Shared responsibility my a..!